Re: WORMS, VIRUS AND USER RIGHTS

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 09/09/04


Date: Thu, 9 Sep 2004 14:54:32 -0400

Doing so protects a little against some kinds of attacks but not others. It
does not help against most network worms as those gain system level
privileges whether or not any user is logged in at all. It could help a
little against, say, Internet Explorer exploits, although normal users still
have permissions to install various IE objects and other things.

Restricted user permissions are more helpful for preventing users from
installing software and making changes. In some cases this might reduce
help desk calls, but it does take some work to support such a locked-down
configuration. Also, if your users are local administrators, you can't
prevent them from doing anything. Anything you can do, they can undo.

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:82ADEEB9-92C2-4790-9A65-05145F734AE1@microsoft.com...
> I have a question concerning user rights and the impact on protecting against
> virus and worms:
>
> I am planning on setting up a group of machines for some clerks in our
> office. I want to make their user accounts to be set to privilege group:
> USERS. I am hoping this will prevent a virus from being opened via an email
> attachment and installed on the machine.
>
> My question is this: does having these users set to user level: USERS really
> make a difference for protection against a network worm? I am under the
> understanding that a network worm takes advantage of a vulnerability in the
> OS and then will escalate its privilege level to an Administrator account.
> Therefore, if network traffic is limited to only my internal network, does it
> make any sense to restrict the clerks to USER level? A worm will probably
> infect the machine even if the current user on the machine is set to
> privilege level: USER. The clerks will not be able to web-browse so the IE
> exploits will not take effect.. and the only worry is if the clerks double
> click a virus that will come via email (we may strip all attachments from
> their email) and remove html preview.
>
> The reason for this question is that the apps that they need have to use an
> admin account. I have used RUNAS and other 3rd party programs to aid the
> setup, but it is not a clean setup. So, I would rather have them as local
> admin, with network restrictions.. any ideas if this logic is correct? In
> your opinion, what is a better setup: local admin rights with network
> restrictions, or USER rights with a complicated setup and no network
> restrictions?
>
> Much appreciated in advance,
>
> Dan


